Blob Blame Raw
From 985b7cfbd45960bb74a13ad8044765a8e35f2251 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Sun, 4 Mar 2012 12:41:11 +0100
Subject: [PATCH 140/140] usb-ehci: sanity-check iso xfers

This patch adds a sanity check to itd processing to make sure the
endpoint addressed by the guest is actually an iso endpoint.  Also
verify that usb drivers don't return USB_RET_ASYNC which is illegal for
iso xfers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(Cherry picked from: aa0568ff2559d7717f4684af6a83d0bd1a125f56)

[qemu-kvm-1.0: we don't track ep types on RHEL-6 like we do upstream, so we
cannot check if an itd is pointing to a non iso ep in advance, but we do still
need to make sure that we never handle an iso xfer async. So check if the
device does want to handle it async, and if so cancel the xfer and treat it as
a NAK, like upstream does when the ep type check fails.]

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 hw/usb-ehci.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index ad0f6e1..b5d7037 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1485,6 +1485,10 @@ static int ehci_process_itd(EHCIState *ehci,
                     itd->transact[i] |= ITD_XACT_BABBLE;
                     ehci_record_interrupt(ehci, USBSTS_ERRINT);
                     break;
+                case USB_RET_ASYNC:
+                    /* ISO endpoints are never ASYNC, not an iso endpoint? */
+                    usb_cancel_packet(&ehci->ipacket);
+                    /* Treat this as a NAK (fall through) */
                 case USB_RET_NAK:
                     /* no data for us, so do a zero-length transfer */
                     ret = 0;
-- 
1.7.9.3